New White Paper: “The Complete Guide to Enterprise Risk Management” DOWNLOAD NOW
Listen to: "Understanding the HITRUST CSF Assessment"

Looking to perform a HITRUST CSF assessment? There are a few things you need to know. The first step is scoring your company’s security and privacy controls. To do this, you must use the HITRUST CSF Maturity Model.

What Is the HITRUST CSF Maturity Model?

This model is a continuous improvement cycle used to help organizations comply with the HITRUST CSF. Based on the Prisma model, the HITRUST CSF is a more mature, and consequently more reliable, set of controls. It is used to score both readiness and validated assessments. These scores help drive the HITRUST rating which determines whether an organization will be certified. Categorized into five areas, this criterion evaluates an organization’s compliance within that maturity level.


Policy asks the hard questions about the organization. Do they know what they are supposed to do? Are the requirements outlined in the policy understood across the organization? Is the policy communicated to all pertinent employees? Are the implementation requirements outlined in the policy? Do the policies contain “shall” or “will” statements for each element of the requirement statements? Are the policies and standards for each element of the requirement statement approved by management?


Do formal, up-to-date, documented procedures exist for implementation? Does the process follow the policy, assign responsibility, and provide additional instruction for carrying out the policy? Are the policy requirements documented within the process, and is it understood by those it affects? Are the procedures for implementation of each element of the requirement statement communicated to the individuals that must follow them?


Has the control been implemented? Is the organization implementing all the elements of a specific control, and is that implementation everywhere it should be? Is the intent of each control met and followed? Can it be tested? Are ad hoc approaches that tend to be applied on an individual or case-by-case basis discouraged?


Is the organization able to measure the performance of the control? How is the control being measured for success? Can a statistical analysis be provided, and are threats continuously being re-evaluated? Are self-assessments and audits routinely performed, or data collected to evaluate the adequacy and effectiveness of the implementation of each element of the requirements statement?


Is the organization correcting any problems that have been identified while monitoring the effectiveness of the control? Is it understood? Are security vulnerabilities being managed, and the controls being adapted to emerging threats? Do the decisions around corrective actions consider cost, risk and mission impact?

How Are the HITRUST Controls Scored?

Each level of the HITRUST CSF Maturing Model builds on the previous cycle of continuous improvement. The scoring process has a compliance scale and maturity level which includes Non-Compliant (NC), where very few, if any, elements exist for the level being evaluated; Somewhat Compliant (SC), where less than half of the elements exist for the level being evaluated; Partially Compliant (PC), where approximately half of the elements exist for the level being evaluated; Mostly Compliant (MC), where many of the elements exist for the level being evaluated; and Fully Compliant (FC), where most, if not all of the elements exist for the level being evaluated. Each level adds 25% to the total, with 100% being fully compliant.

The assessor will be required to assign a maturity level score in the MyCSF tool for each control and its compliance with each of the five levels of the HITRUST CSF Maturity Model whether performing a self-assessment or validated assessment.

Get more expert information about the HITRUST CSF Certification Process.

What Is the Difference Between a Readiness and Validated Assessment?

The HITRUST CSF Readiness Assessment allows organizations to self-assess using standard methodology, tools, and requirements of the HITRUST CSF Assurance Program. HITRUST performs limited validation on the results of the self-assessment to provide limited assurance to the entity.

A HITRUST CSF Validated Assessment is conducted by a HITRUST Certified External Assessor. The HITRUST CSF Assurance Methodology is used and the controls are scored according to the model. Assessments that meet or exceed the current HITRUST CSF Assurance scoring requirements for certification are indicated as HITRUST CSF Certified on their validated report.

The MyCSF tool automatically generates scores but knowing how the calculation was created is key. The score for each control is the sum of the products of the weight maturity model level, multiplied by the maturity level rating for all the maturity model levels.

Learn more about the HITRUST CSF Readiness Assessment.

HITRUST Certification helps organizations demonstrate their compliance of information security standards to help mitigate risk. Put the right protocols in place and make sure your organization’s infrastructure meets or exceeds the industry standard. For more information on becoming certified by HITRUST CSF, call the I.S. Partners team at 215-675-1400 for an in-depth consultation and audit.

Get Hassle-free Pricing in 3 Easy Steps

Request a quote using the form below
Allow us to create a customized plan
We'll get you an accurate, no-obligation quote
Untitled-1Asset 1Request a Quote Background

Request a Quote

Please fill out the fields below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 642-2230

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.